[Pkg-shadow-devel] audit support

Nicolas François nicolas.francois at centraliens.net
Tue Sep 2 22:11:01 UTC 2008


Hi,

On Tue, Sep 02, 2008 at 04:51:42PM +0200, pvrabec at redhat.com wrote:
> hi folks,
> 
> there is updated audit support.
> thanks to sgrubb at redhat.com

Thanks a lot for the patch.

IIRC, AUDIT_ADD_GROUP/AUDIT_ADD_USER were not defined in some previous
versions of libaudit. Do you think it might be useful to redefine them to
AUDIT_USER_CHAUTHTOK if configure detects such a case?


I've also added some logging in case of *_unlock() failures (this means the
system is left in an inconsistent state).


Note that "adding SELinux user mapping" in useradd.c is not part of
upstream shadow. It might be easier for your later maintenance to change
the audit_logger in the patch that introduces this.


I have some questions regarding the type to use in some cases:
(AUDIT_ADD_GROUP, AUDIT_ADD_USER, AUDIT_USER_CHAUTHTOK?)
 * "changing user defaults" message in useradd.c?
   AUDIT_USER_CHAUTHTOK or no audit log
 * "adding user to group" in useradd
   You changed it to AUDIT_ADD_USER, but it is a modification in the group
   file.
 * gr_unlock() failure in useradd
   (i.e. the user was added, and the group file was possibly changed, and
   there was a later failure when the group file was unlocked)


Is there a need to report to audit if an error is detected before any
changes are committed to the user/group databases (and before the change
is reported to audit)?

Here are some examples:
 + *_lock() failures
   Those failures should be caused by another account management program
   still running.
 + useradd <invalid user name>
 + useradd <already existing user>


Thanks in advance,
-- 
Nekral
